NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License
23.2k stars 2.69k forks

Cloudflare invalid credentials #1665

Closed aniel300 closed 8 months ago

aniel300 commented 2 years ago

Checklist

Describe the bug

When I tried to renew the SSL cert I get "internal error". Note: I am using a wildcard with Cloudflare.

Nginx Proxy Manager Version

Latest as of the time of this posting.

To Reproduce

Steps to reproduce the behavior:

  1. Go to 'ssl certificate'
  2. Click on 'renew cert'
  3. See error

Expected behavior

Be able to renew the cert, which also brings me to a question: isn't NPM supposed to do this automatically?

Screenshots

https://i.imgur.com/3KpuUjy.png

Operating System

Ubuntu 18 / Docker

Additional context

I did try to find a similar issue to this and found some, but I can't figure out if there is a fix for this or not. Some posts I found:

https://github.com/jc21/nginx-proxy-manager/issues/1659
https://github.com/jc21/nginx-proxy-manager/issues/1625

thank you in advance.

chaptergy commented 2 years ago

Have a look at https://github.com/jc21/nginx-proxy-manager/issues/1271, especially the certificate section, and provide some of the letsencrypt logs, otherwise the issue could be anything.

aniel300 commented 2 years ago

OK, will do sir. Is it safe to share my logs here?

chaptergy commented 2 years ago

The only sensitive information in the letsencrypt logs should be the domain and maybe the email address you entered as the notification address. You can search and replace them with placeholders if you like. The other information is randomly generated challenge data which is useless by the time you have posted the logs.

lildevilx commented 2 years ago

Hello,

I'm also having some issues and hoping you could give me some assistance, here is my log.

Letsencrypt Logs

```
2021-12-22 02:04:40,467:DEBUG:certbot._internal.main:certbot version: 1.19.0
2021-12-22 02:04:40,468:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot
2021-12-22 02:04:40,468:DEBUG:certbot._internal.main:Arguments: ['--non-interactive', '--config', '/etc/letsencrypt.ini', '--cert-name', 'npm-22', '--agree-tos', '--authenticator', 'webroot', '--email', '___@gmail.com', '--preferred-challenges', 'dns,http', '--domains', 'sub.domain.com']
2021-12-22 02:04:40,468:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-12-22 02:04:40,488:DEBUG:certbot._internal.log:Root logging level set at 30
2021-12-22 02:04:40,489:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2021-12-22 02:04:40,491:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized:
Prep: True
2021-12-22 02:04:40,491:DEBUG:certbot._internal.plugins.selection:Selected authenticator and installer None
2021-12-22 02:04:40,491:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-12-22 02:04:40,587:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-12-22 02:04:40,592:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-12-22 02:04:50,605:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/connection.py", line 170, in _new_conn
    (self._dns_host, self.port), self.timeout, **extra_kw
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/util/connection.py", line 73, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/lib/python3.7/socket.py", line 748, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/connectionpool.py", line 706, in urlopen
    chunked=chunked,
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/connection.py", line 353, in connect
    conn = self._new_conn()
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/connection.py", line 182, in _new_conn
    self, "Failed to establish a new connection: %s" % e
urllib3.exceptions.NewConnectionError: : Failed to establish a new connection: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/connectionpool.py", line 756, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1572, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1414, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 761, in _init_le_client
    acc, acme = _determine_account(config)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 679, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 180, in register
    acme = acme_from_config_key(config, key)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 44, in acme_from_config_key
    client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/opt/certbot/lib/python3.7/site-packages/acme/client.py", line 840, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/opt/certbot/lib/python3.7/site-packages/acme/client.py", line 1194, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/opt/certbot/lib/python3.7/site-packages/acme/client.py", line 1133, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/opt/certbot/lib/python3.7/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/certbot/lib/python3.7/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/opt/certbot/lib/python3.7/site-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
2021-12-22 02:04:50,619:ERROR:certbot._internal.log:An unexpected error occurred:
2021-12-22 02:04:50,621:ERROR:certbot._internal.log:requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError(': Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
```

Thanks!

chaptergy commented 2 years ago

@lildevilx Your issue seems to be related to your docker container being misconfigured and not being able to connect to the internet / a dns server. Have a look at https://github.com/jc21/nginx-proxy-manager/issues/1482 or https://github.com/jc21/nginx-proxy-manager/issues/1365.

RonnieBlaze commented 2 years ago

I am having the same issue when trying to manually renew my certs. I have 11 days left on them, so it looks like the auto renew has not been working either. I am running NPM v2.9.13 in an unraid docker, using Cloudflare for DNS.

My docker log shows this:

```
[12/28/2021] [9:10:34 AM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates for Cert #12: tautulli.xxx.com
[12/28/2021] [9:10:34 AM] [SSL ] › ℹ info Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-12" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
[12/28/2021] [9:10:34 AM] [Express ] › ⚠ warning Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-12" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
An unexpected error occurred:
pkg_resources.ContextualVersionConflict: (cryptography 36.0.1 (/usr/lib/python3.8/site-packages), Requirement.parse('cryptography<4,>=2'), {'dns-lexicon'})
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/tmpy2mllf8d/log or re-run Certbot with -v for more details.
```

Certbot logs show:

```
2021-12-28 09:37:47,142:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3.8/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1593, in main
    plugins = plugins_disco.PluginsRegistry.find_all()
  File "/usr/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 241, in find_all
    plugin_ep = cls._load_entry_point(entry_point, plugins, with_prefix=False)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 261, in _load_entry_point
    plugin_ep = PluginEntryPoint(entry_point, with_prefix)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 60, in __init__
    self.plugin_cls: Type[interfaces.Plugin] = entry_point.load()
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 2464, in load
    self.require(*args, **kwargs)
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 2487, in require
    items = working_set.resolve(reqs, env, installer, extras=self.extras)
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 782, in resolve
    raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (cryptography 36.0.1 (/usr/lib/python3.8/site-packages), Requirement.parse('cryptography<4,>=2'), {'dns-lexicon'})
2021-12-28 09:37:47,142:ERROR:certbot._internal.log:An unexpected error occurred:
2021-12-28 09:37:47,142:ERROR:certbot._internal.log:pkg_resources.ContextualVersionConflict: (cryptography 36.0.1 (/usr/lib/python3.8/site-packages), Requirement.parse('cryptography<4,>=2'), {'dns-lexicon'})
```

aniel300 commented 2 years ago

Sorry for my ignorance, where is it that I find the required logs? Maybe here?: \docker\proxymanager\data\logs

aniel300 commented 2 years ago

Here are the docker logs, let me know if you need anything else and also if I have included any sensitive info.

Docker Logs

```
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Socket. (node:internal/child_process:450:11)
    at Socket.emit (node:events:390:28)
    at Pipe. (node:net:687:12)
[12/28/2021] [9:24:33 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[12/28/2021] [9:30:18 PM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
[12/28/2021] [10:24:33 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[12/28/2021] [10:29:00 PM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
[12/28/2021] [11:24:33 PM] [IP Ranges] › ℹ info Fetching IP Ranges from online services...
[12/28/2021] [11:24:33 PM] [IP Ranges] › ℹ info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[12/28/2021] [11:24:33 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v4
[12/28/2021] [11:24:33 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v6
[12/28/2021] [11:24:33 PM] [Nginx ] › ℹ info Reloading Nginx
[12/28/2021] [11:24:33 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[12/28/2021] [11:25:04 PM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
[12/29/2021] [12:24:33 AM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[12/29/2021] [12:27:16 AM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
[12/29/2021] [1:24:33 AM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[12/29/2021] [1:27:58 AM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
[12/29/2021] [2:24:33 AM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[12/29/2021] [2:30:56 AM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
[12/29/2021] [3:24:33 AM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[12/29/2021] [3:28:17 AM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)
Connection Error: Error: read ECONNRESET
Connection Error: Error: read ECONNRESET
[12/29/2021] [4:03:27 AM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates via Cloudflare for Cert #1: *.qbanguy.xyz
[12/29/2021] [4:03:27 AM] [SSL ] › ℹ info Command: certbot renew --config "/etc/letsencrypt.ini" --cert-name "npm-1" --disable-hook-validation --no-random-sleep-on-renew
[12/29/2021] [4:03:30 AM] [Express ] › ⚠ warning Command failed: certbot renew --config "/etc/letsencrypt.ini" --cert-name "npm-1" --disable-hook-validation --no-random-sleep-on-renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Unsafe permissions on credentials configuration file: /etc/letsencrypt/credentials/credentials-1
Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

chaptergy commented 2 years ago

@aniel300 Your logs say

Failed to renew certificate npm-1 with error: Error determining zone_id: 9109 Invalid access token. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter a valid Cloudflare Token?)

Have you provided valid credentials?

aniel300 commented 2 years ago

Yes. This wildcard cert was created by the first host I did.

chaptergy commented 2 years ago

Then your issue is either related to https://github.com/jc21/nginx-proxy-manager/pull/1697, or it is not an npm issue at all. Go ahead and try using docker image jc21/nginx-proxy-manager:github-pr-1697. If that does not work, try it with your own installation of certbot to see if that works.

EDIT: sorry, I got confused by all the different issues in this thread, forgot that you are the original author.

chaptergy commented 2 years ago

It could also be possible that the reason is the slightly changed namespace syntax in certbot. You should connect to the database, go to the certificate table, and the meta column for your certificates row should contain your credentials. Make sure it says dns_cloudflare_api_token = ... and not something like certbot-dns-cloudflare:dns_cloudflare_api_token = ...
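
A small audit helper for the two problems visible in this thread, written as an added example (not NPM's or certbot's own code): it parses the `key = value` lines of a certbot dns-cloudflare credentials file, flags keys still carrying the legacy `certbot-dns-cloudflare:` namespace, rewrites them to the bare form, and checks the file mode that triggers certbot's "Unsafe permissions on credentials configuration file" warning. The sample credentials text is constructed with a placeholder token; `dns_cloudflare_email` and `dns_cloudflare_api_key` are certbot's global-API-key names and are assumed here only so the key check is not token-only.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Older certbot-dns-cloudflare releases namespaced their keys; current certbot
# expects the bare key names in the credentials file.
LEGACY_PREFIX = "certbot-dns-cloudflare:"
EXPECTED_KEYS = {"dns_cloudflare_api_token", "dns_cloudflare_email", "dns_cloudflare_api_key"}

# Constructed sample in the legacy syntax; the token value is a placeholder.
LEGACY_SAMPLE = (
    "# Cloudflare API token (placeholder, not a real token)\n"
    "certbot-dns-cloudflare:dns_cloudflare_api_token = EXAMPLE_TOKEN_PLACEHOLDER\n"
)


def parse_credentials(text: str) -> Dict[str, str]:
    """Parse the 'key = value' lines of a certbot DNS-plugin credentials file."""
    creds: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            creds[key.strip()] = value.strip()
    return creds


def audit_credentials(text: str) -> List[str]:
    """Return findings about key syntax; an empty list means the file looks fine."""
    findings: List[str] = []
    creds = parse_credentials(text)
    for key in creds:
        if key.startswith(LEGACY_PREFIX):
            bare = key[len(LEGACY_PREFIX):]
            findings.append(f"legacy namespaced key {key!r}; rename to {bare!r}")
    bare_keys = {k[len(LEGACY_PREFIX):] if k.startswith(LEGACY_PREFIX) else k for k in creds}
    if not bare_keys & EXPECTED_KEYS:
        findings.append("no recognised dns_cloudflare_* key found")
    return findings


def normalize_credentials(text: str) -> str:
    """Strip the legacy namespace prefix from key lines, leaving everything else intact."""
    out = []
    for line in text.splitlines(keepends=True):
        body = line.lstrip()
        indent = line[: len(line) - len(body)]
        if body.startswith(LEGACY_PREFIX):
            body = body[len(LEGACY_PREFIX):]
        out.append(indent + body)
    return "".join(out)


def has_safe_permissions(path: str) -> bool:
    """certbot warns when the credentials file is readable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo_permission_check() -> Tuple[bool, bool]:
    """A 0644 file fails the check; after chmod 0600 the same file passes it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials-1")
        with open(path, "w") as fh:
            fh.write(normalize_credentials(LEGACY_SAMPLE))
        os.chmod(path, 0o644)
        before = has_safe_permissions(path)
        os.chmod(path, 0o600)
        return before, has_safe_permissions(path)
```

Run `audit_credentials` over the text stored in the certificate row's `meta` column (or over the file under /etc/letsencrypt/credentials/) to see whether the legacy prefix is what certbot is choking on.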

aniel300 commented 2 years ago

Then your issue is either related to #1697, or it is not an npm issue at all. Go ahead and try using docker image jc21/nginx-proxy-manager:github-pr-1697. If that does not work, try it with your own installation of certbot to see if that works.

Ahh OK. So is this response still valid?

chaptergy commented 2 years ago

Sure, so first check the database, if that does not work try the different docker image, and if that still does not work try it with a custom certbot installation on a different machine.

aniel300 commented 2 years ago

I can try to do a few of those things, except for the one using a different machine, since this is a dedicated server.

christofkac commented 2 years ago

Hi, I don't know if this is related but I ran into the same problem. It is important to configure your DNS entry in Cloudflare as "DNS only" as long as you don't have a certificate, and once the certificate is created, switch to "Proxied". Hope that helps.

aniel300 commented 2 years ago

@christofkac I tried with DNS only and the issue is still happening.

github-actions[bot] commented 8 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1:

aniel300 commented 8 months ago

Closing as I never got it fixed or got the time to attempt to fix it. A long time has passed and I now use Traefik. Still, this project is amazing for people looking to get into reverse proxies who want/need a UI to help them through the journey. Thank you to the devs and keep up the good work.